With the rise of the Internet of Things (IoT), an increasing number of everyday devices are networked and continuously sending and receiving messages. Such devices may be manufactured by a variety of different vendors and may communicate using proprietary message formats. Controller Area Network (CAN) bus systems, for example, are utilized in most modern automobiles to relay messages between different components in the automobiles. Although CAN bus systems utilize a common transport layer format to relay messages between devices (e.g., audio system components, brake system components, etc.) within an automobile, the messages often carry unique proprietary binary payload sub-formats and each include only a CAN identifier (CAN ID) and/or CAN bus identifier (Bus ID) with no source or destination information. Such messages may allow for efficient transmission of information between devices.
Detecting anomalies in messages may be useful for identifying various threats, such as, for example, intrusion by malicious parties or device malfunction or failure. However, anomaly detection, such as signature-based intrusion detection, is often unfeasible because the real-time flow of messages between devices may overwhelm available processing and storage resources. Additionally, anomaly detection may be further complicated by the use of proprietary message formats that are not publicly available, making discovery and monitoring of the ground-truth binary schema for each message unfeasible for use with high-traffic networks. The instant disclosure, therefore, identifies and addresses a need for systems and methods for identifying message payload bit fields in electronic communications.